Oracle releases software update to fix Java vulnerability

This discussion thread was locked as off-topic by OKNancy (a host of the Latest Breaking News forum).

Source: CNET

Oracle released an emergency software update today to fix a security vulnerability in its Java software that could allow attackers to break into computers.

The update, which is available on Oracle's Web site, fixes a critical vulnerability in Oracle's Java 7 that could allow a remote, unauthenticated attacker to execute arbitrary code. The attack can be induced if someone visits a Web site that's been set up with malicious code to take advantage of the hole.

Oracle said the update modifies the way Java interacts with Web applications.

"The default security level for Java applets and web start applications has been increased from 'medium' to 'high,'" Oracle said in an advisory today. "This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed, applets and web start applications would continue to run as always. With the 'high' setting the user is always warned before any unsigned application is run to prevent silent exploitation."

10. It sounds like they just added a prompt that people can click through to get infected anyway?

2. Have disabled Java for now... I'll wait awhile and see

The list on that site doesn't give me confidence this is the end of it...

Current Version

Changes in 1.7.0_11

Earlier Versions

Changes in 1.7.0_10
Changes in 1.7.0_09
Changes in 1.7.0_07
Changes in 1.7.0_06
Changes in 1.7.0_05
Changes in 1.7.0_04
Changes in 1.7.0_03
Changes in 1.7.0_02
Changes in 1.7.0_01
Release Notes for the Original 1.7.0 Release

4. That's probably wise.

Oracle hasn't taken Java seriously. I wouldn't trust that patch.

Forget Oracle's Latest Java Patch. Just Kill The Program In Your Browser For Good

After months of inaction and even a warning from the Department of Homeland Security, Oracle has finally released a fix for yet another security vulnerability in its ubiquitous and notoriously buggy Java software. But there’s already been a fix available that’s remained simpler and far more effective: Kick your Java habit altogether.

Despite Oracle’s new patch, which the company posted to its website Sunday–more than four months after it was informed about the bug by Polish security firm Security Explorations–Java watchers in the security industry are recommending that users give up on the endless cycle of the program’s bugs and fixes and instead turn it off in their browsers for good. “Users should simply disable it,” says H.D. Moore, chief security officer at the security firm Rapid7 who has tested numerous Java exploitation techniques over the last year. “The amount of utility it offers is so much smaller than the risk it creates for users. It’s much safer to leave it off.”

-snip-

The bug was just the latest in a series that wracked Oracle for much of 2012. In August a flaw in the software, also reported months earlier by Security Explorations, was exploited by hackers installing malware including the Poison Ivy trojan on target PCs. When Oracle released a patch, Security Explorations quickly found another flaw in the fix that would allow the new security measures to be bypassed. And the company followed that revelation with the discovery of yet another critical bug in the program.

-snip-

Java in many ways goes against all the security trends that have made browsers harder to exploit in recent years. It still requires manual updates, despite several browsers’ moves to automatically download and install new versions of themselves. And despite modern browsers’ attempts to prevent websites from gaining access to a PC beyond a limited “sandbox,” Java can in many cases allow attackers to escape those restrictions, access the full hard disk and make network connections with remote servers. “The attack surface is so big,” Kandek says. “In many ways, you don’t want Java to be able to do all the things that it does anymore.”

19. Has anyone ever read the book entitled "The difference between God and Larry Ellison"?

the subtitle is "God doesn't think he is Larry Ellison".

The book deals not only with Larry's ginormous ego, but also the insanity of trying to work with Oracle's products in the earlier days. I started working with Oracle software in 1989, version 5. I worked with it, as a DBA at a customer site, for 20 years. Version 5 through 11.

I experienced a lot of the insanity that is talked about in the book. One of my fondest memories is back when they finally got a somewhat stable release of version 6. I found a situation where a feature didn't work as documented. In those days the documentation was all on hard copy, and anytime they did an update they sent you a case of manuals. I reported the problem. I was told that it was a known problem and they would send me a fix. True story: they fixed the problem by changing the documentation. They sent me a new copy of the documentation that no longer included the feature.

That being said, I feel like by version 7 or 8, they had the best relational database available for industrial strength UNIX applications.